Revealer Keylogger Free Edition (rkfree) is an easy-to-use, proprietary keylogger for Windows available at no cost. It won’t do for forensic use, but might serve the needs of casual users.

The no-cost version is clearly visible in the Windows task manager as rkfree.exe, “Revealer keylogger Free Edition”. The paid version (€25) claims to be invisible to the task manager and adds remote log delivery (email, FTP). All versions have a scheduled uninstall feature, which would be useful in conjunction with remote log delivery.

The following discusses the no-cost version.

PRE-INSTALLATION NOTES
The makers’ website has a poor reputation on WOT, but the software is considered safe by CNET. The website’s TLS certificate (seen when requesting the HTTPS version of the website) looked suspicious in August 2011; use caution if providing data.

In July 2011, rkfree was detected by F-Prot upon installation and by Ad-Aware on running, but was not detected by Windows Defender.

INSTALLATION AND CONFIGURATION
Download rkfree and install it in the normal manner. An MSI installer is not available, making institution-wide deployment tedious.

Rkfree installs to %SystemDrive%\Program Files\rkfree. The installation location is hardcoded, so it goes there even on versions of Windows localized into languages other than English.

Once installed, open the control panel with the default keybinding Ctrl+Alt+F9 and configure as desired.

USAGE NOTES
Open the control panel as described above to view the key logs. Logs appear in an easy-to-read format that is fine for casual use. Forensic analysis would need output in a format suited to filtering and parsing, such as that produced by PyKeylogger.

The raw logs are found (on XP) at %SystemDrive%\Documents and Settings\All Users\Program Data\rkfree\data\WINDOWS-USERNAME, with log names taking the format DDMMYYYY.rvl. The raw logs are in an undocumented binary format.
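The following Python sketch is an added example, not part of the original post or of the vendor's software. For someone auditing a machine or a mounted disk image, it lists which Windows accounts have rkfree logs and for which days, using only the per-user directory layout and DDMMYYYY.rvl naming described above; it does not read the undocumented binary contents. The function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from datetime import date
from pathlib import Path

# Log names follow the DDMMYYYY.rvl pattern given in the post.
RVL_NAME = re.compile(r"^(\d{2})(\d{2})(\d{4})\.rvl$", re.IGNORECASE)

def parse_rvl_date(name):
    """Return the date encoded in a DDMMYYYY.rvl file name, or None."""
    m = RVL_NAME.match(name)
    if not m:
        return None
    day, month, year = (int(g) for g in m.groups())
    try:
        return date(year, month, day)
    except ValueError:  # right shape but impossible date, e.g. 31022011.rvl
        return None

def inventory(data_dir):
    """Map each per-user sub-directory of rkfree's data directory to the
    sorted days that have a log file; users with no valid log are omitted."""
    result = {}
    root = Path(data_dir)
    if not root.is_dir():
        return result
    for user_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        found = (parse_rvl_date(f.name) for f in user_dir.iterdir() if f.is_file())
        days = sorted(d for d in found if d)
        if days:
            result[user_dir.name] = days
    return result

def build_sample(base):
    """Constructed sample tree (dummy one-byte files, not real logs)."""
    data = Path(base) / "rkfree" / "data"
    tree = {"alice": ["02082011.rvl", "15072011.rvl", "31022011.rvl"],
            "bob": ["notes.txt"]}
    for user, names in tree.items():
        (data / user).mkdir(parents=True)
        for n in names:
            (data / user / n).write_bytes(b"\x00")
    return data

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for user, days in inventory(build_sample(tmp)).items():
            print(user, [d.isoformat() for d in days])
```

Point inventory() at the data directory of the system being examined; file names that match the pattern but encode an impossible date are skipped rather than guessed at.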

Logs can be manually saved as plain text files. On one installation on Windows 7, they were saved in UTF-16 encoding with no apparent way to change this; I had to convert them to UTF-8 (gedit can do this) before I could use tools such as egrep on the logs.

UNINSTALLING
The control panel contains an uninstallation option. If you excluded rkfree from any malware scanners upon installation, remember to remove the exclusions.

ETHICAL CONSIDERATIONS
Impress on the client the need to comply with local law and to use common sense when implementing user monitoring. Regardless of local law or custom, it is usually wise to clearly inform employees what constitutes acceptable use of employer-provided computers and that management reserves the right to monitor compliance.

3 Responses to User monitoring with Revealer Keylogger

This morning I found the logs missing from my interface of Revealer keyloggers. But the data is saved on my laptop in .rvl format, which is not readable. How do I convert these .rvl log files into any other readable format?

Hello,
A friend of mine is facing the same issue. :( Have you maybe succeeded in converting the rvl files, or have you maybe tried to copy the logs and only put back the one you would like the program to load (or maybe a bunch of them)? I am just thinking about this because suddenly the application behaves so that it only shows the actual day's log and not the prior ones (as you described), but also the Import button does not work (I thought it should open/read the selected file).
Thanks in advance,
Kind regards,
Balazs